bisecting cause commit starting from e7b08814b16b80a0bf76eeca16317f8c2ed23b8c building syzkaller on a5ce5de0aecba44015705788859d376e5a431ccd testing commit e7b08814b16b80a0bf76eeca16317f8c2ed23b8c with gcc (GCC) 8.1.0 kernel signature: d990f52fc56e6e7b90212b46dc1a927b17a1153243b98ceb1c48aa7742653c53 all runs: crashed: general protection fault in ima_free_template_entry testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: ee928f215e1784f4a3c8531fd4b87f16344127b5b22e684dae57c03d15953dc9 all runs: OK # git bisect start e7b08814b16b80a0bf76eeca16317f8c2ed23b8c 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 14471 revisions left to test after this (roughly 14 steps) [d4271b8fccc0ebe87abe9a393ebfec972f5f6cb0] x86/entry: Convert General protection exception to IDTENTRY testing commit d4271b8fccc0ebe87abe9a393ebfec972f5f6cb0 with gcc (GCC) 8.1.0 kernel signature: e182fd60e4925d74ba2d66e06693a15a1a386a8f4c67c51d38c5bca58654d04a all runs: OK # git bisect good d4271b8fccc0ebe87abe9a393ebfec972f5f6cb0 Bisecting: 7156 revisions left to test after this (roughly 13 steps) [fac3e82a9f91eb28d68b89c54d69f6228022c463] Merge remote-tracking branch 'net-next/master' testing commit fac3e82a9f91eb28d68b89c54d69f6228022c463 with gcc (GCC) 8.1.0 kernel signature: ecd12e1d51c5d1fd3c04368eef42268acd8aa0777facf8e0824334329b35fe4f all runs: OK # git bisect good fac3e82a9f91eb28d68b89c54d69f6228022c463 Bisecting: 3646 revisions left to test after this (roughly 12 steps) [936fc380d697c01737ed0c3248a9f91ed97705f6] Merge remote-tracking branch 'spi/for-next' testing commit 936fc380d697c01737ed0c3248a9f91ed97705f6 with gcc (GCC) 8.1.0 kernel signature: 4377381946a4a9878cff991204fe14a0c2c6d43dad3791834b6e0723de24cced all runs: crashed: general protection fault in ima_free_template_entry # git bisect bad 936fc380d697c01737ed0c3248a9f91ed97705f6 Bisecting: 1689 revisions left to test after this (roughly 11 steps) [32d3bc30d270eec05be52478eb602a016b726684] Merge remote-tracking branch 'drm/drm-next' testing commit 32d3bc30d270eec05be52478eb602a016b726684 with gcc (GCC) 8.1.0 kernel signature: 8246542582af2380df08486cbb33ae814a24589d1942baa8f32d3e4673779c1a all runs: OK # git bisect good 32d3bc30d270eec05be52478eb602a016b726684 Bisecting: 800 revisions left to test after this (roughly 10 steps) [f4bb16af749a1062d855b36a3e0d51260a43eed3] Merge remote-tracking branch 'block/for-next' testing commit f4bb16af749a1062d855b36a3e0d51260a43eed3 with gcc (GCC) 8.1.0 kernel signature: 7c0f49b31951f1f68f6d3ecb9be80d907a64a3b0dfdbe4e1596498e6f0d0848c all runs: OK # git bisect good f4bb16af749a1062d855b36a3e0d51260a43eed3 Bisecting: 407 revisions left to test after this (roughly 9 steps) [d62e5a88c03d55d36e78fc569be5307afe61d89f] Merge remote-tracking branch 'tpmdd/next' testing commit d62e5a88c03d55d36e78fc569be5307afe61d89f with gcc (GCC) 8.1.0 kernel signature: 59fe8385420ba85c31b87d92c422a4b1baeb6e1e5b0dd2b83b18b50960f24295 all runs: crashed: general protection fault in ima_free_template_entry # git bisect bad d62e5a88c03d55d36e78fc569be5307afe61d89f Bisecting: 174 revisions left to test after this (roughly 8 steps) [5ba24b008cb7900cfe07e3bf27ff854e4cf520cc] Merge remote-tracking branch 'mfd/for-mfd-next' testing commit 5ba24b008cb7900cfe07e3bf27ff854e4cf520cc with gcc (GCC) 8.1.0 kernel signature: 96b6151c34a3a9b5d456eac186256898526bbb7be94134dc1f8a67e59d8136a8 all runs: OK # git bisect good 5ba24b008cb7900cfe07e3bf27ff854e4cf520cc Bisecting: 87 revisions left to test after this (roughly 7 steps) [805f64e8b5cf5838b1a0b4b9abce9084db2cf8f4] dt-bindings: power: sbs-battery: Convert to yaml testing commit 805f64e8b5cf5838b1a0b4b9abce9084db2cf8f4 with gcc (GCC) 8.1.0 kernel signature: d1d3196f1e50516264daef0a3f7504e78496f19502497e940a93752bf22d7a8e all runs: OK # git bisect good 805f64e8b5cf5838b1a0b4b9abce9084db2cf8f4 Bisecting: 42 revisions left to test after this (roughly 6 steps) [bd98e81e04e2330d4fbc09c2133b5c2b4bb60a9e] Merge remote-tracking branch 'apparmor/apparmor-next' testing commit bd98e81e04e2330d4fbc09c2133b5c2b4bb60a9e with gcc (GCC) 8.1.0 kernel signature: 531f5bcf0df2381694e5cb5b6c402c0f578e38dad33b3da62cbf4adaacaf9092 all runs: OK # git bisect good bd98e81e04e2330d4fbc09c2133b5c2b4bb60a9e Bisecting: 24 revisions left to test after this (roughly 5 steps) [a75fc5dc00a7961b7b53af051acd2ed2f817af7b] Merge remote-tracking branch 'keys/keys-next' testing commit a75fc5dc00a7961b7b53af051acd2ed2f817af7b with gcc (GCC) 8.1.0 kernel signature: 13f12deef3e77ba501fb0208a5a7d4eb249951fba1663ca954fe9ffacd28cd72 all runs: crashed: general protection fault in ima_free_template_entry # git bisect bad a75fc5dc00a7961b7b53af051acd2ed2f817af7b Bisecting: 8 revisions left to test after this (roughly 3 steps) [6ee28442a465ab4c4be45e3b15015af24b1ba906] ima: Remove redundant policy rule set in add_rules() testing commit 6ee28442a465ab4c4be45e3b15015af24b1ba906 with gcc (GCC) 8.1.0 kernel signature: 0fb36049b3d14feb2a037ec08aab2f27857caef9b0e485997ff33add42f41ff2 all runs: crashed: general protection fault in ima_free_template_entry # git bisect bad 6ee28442a465ab4c4be45e3b15015af24b1ba906 Bisecting: 4 revisions left to test after this (roughly 2 steps) [aa724fe18a8a8285d0071c3bfc932efb090d142d] ima: Switch to dynamically allocated buffer for template digests testing commit aa724fe18a8a8285d0071c3bfc932efb090d142d with gcc (GCC) 8.1.0 kernel signature: 6af5479202b09b5d0ec09f762a074fe09e034ef9ae58a5dab928c63f960f9d30 all runs: crashed: general protection fault in ima_free_template_entry # git bisect bad aa724fe18a8a8285d0071c3bfc932efb090d142d Bisecting: 1 revision left to test after this (roughly 1 step) [e144d6b265415ddbdc54b3f17f4f95133effa5a8] ima: Evaluate error in init_ima() testing commit e144d6b265415ddbdc54b3f17f4f95133effa5a8 with gcc (GCC) 8.1.0 kernel signature: 0f25e5b48f70e6cbb7c2cc0f3c965fd61508da50e340924e2972ac5825400914 all runs: OK # git bisect good e144d6b265415ddbdc54b3f17f4f95133effa5a8 Bisecting: 0 revisions left to test after this (roughly 0 steps) [7ca79645a1f8837c3850b881a2c0b43cfba5dc36] ima: Store template digest directly in ima_template_entry testing commit 7ca79645a1f8837c3850b881a2c0b43cfba5dc36 with gcc (GCC) 8.1.0 kernel signature: e76e5d3f5e57e342c8b68ecefbd322671d965ac7c1603399fc94f2c4251fe2ba all runs: OK # git bisect good 7ca79645a1f8837c3850b881a2c0b43cfba5dc36 aa724fe18a8a8285d0071c3bfc932efb090d142d is the first bad commit commit aa724fe18a8a8285d0071c3bfc932efb090d142d Author: Roberto Sassu Date: Wed Mar 25 11:47:09 2020 +0100 ima: Switch to dynamically allocated buffer for template digests This patch dynamically allocates the array of tpm_digest structures in ima_alloc_init_template() and ima_restore_template_data(). The size of the array is equal to the number of PCR banks plus ima_extra_slots, to make room for SHA1 and the IMA default hash algorithm, when PCR banks with those algorithms are not allocated. Calculating the SHA1 digest is mandatory, as SHA1 still remains the default hash algorithm for the measurement list. When IMA will support the Crypto Agile format, remaining digests will be also provided. The position in the measurement entry array of the SHA1 digest is stored in the ima_sha1_idx global variable and is determined at IMA initialization time. Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar security/integrity/ima/ima.h | 6 +++++- security/integrity/ima/ima_api.c | 10 ++++++++++ security/integrity/ima/ima_crypto.c | 10 +++++++++- security/integrity/ima/ima_fs.c | 4 ++-- security/integrity/ima/ima_queue.c | 10 ++++++---- security/integrity/ima/ima_template.c | 15 +++++++++++++-- 6 files changed, 45 insertions(+), 10 deletions(-) culprit signature: 6af5479202b09b5d0ec09f762a074fe09e034ef9ae58a5dab928c63f960f9d30 parent signature: e76e5d3f5e57e342c8b68ecefbd322671d965ac7c1603399fc94f2c4251fe2ba revisions tested: 16, total time: 4h3m25.861299081s (build: 1h47m56.43285082s, test: 2h13m44.537289222s) first bad commit: aa724fe18a8a8285d0071c3bfc932efb090d142d ima: Switch to dynamically allocated buffer for template digests cc: ["dmitry.kasatkin@gmail.com" "jmorris@namei.org" "linux-integrity@vger.kernel.org" "linux-kernel@vger.kernel.org" "linux-security-module@vger.kernel.org" "roberto.sassu@huawei.com" "serge@hallyn.com" "zohar@linux.ibm.com"] crash: general protection fault in ima_free_template_entry general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] CPU: 0 PID: 8507 Comm: syz-executor.2 Not tainted 5.7.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:ima_free_template_entry+0x45/0x140 security/integrity/ima/ima_api.c:27 Code: 54 48 c1 ea 03 55 53 80 3c 02 00 0f 85 fe 00 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5f 10 48 8d 7b 20 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e b0 00 00 00 8b 43 20 85 c0 7e RSP: 0018:ffffc90009b3f538 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000004 RSI: 1ffff92001367ec0 RDI: 0000000000000020 RBP: ffff8880a4d74280 R08: ffffed1015d07104 R09: ffffed1015d07104 R10: ffff8880ae83881b R11: ffffed1015d07103 R12: 0000000000000000 R13: ffff8880a3155d10 R14: ffffffff89237a10 R15: ffff8880a3155d00 FS: 00007f58c7817700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbcd608d010 CR3: 0000000089d9d000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_alloc_init_template+0x350/0x520 security/integrity/ima/ima_api.c:80 ima_add_violation+0xf2/0x1b0 security/integrity/ima/ima_api.c:148 ima_rdwr_violation_check security/integrity/ima/ima_main.c:140 [inline] process_measurement+0xd74/0x1320 security/integrity/ima/ima_main.c:237 ima_file_check+0xb5/0x100 security/integrity/ima/ima_main.c:440 do_open fs/namei.c:3231 [inline] path_openat+0xd5e/0x21c0 fs/namei.c:3346 do_filp_open+0x171/0x240 fs/namei.c:3373 do_sys_openat2+0x2dc/0x500 fs/open.c:1148 do_sys_open+0x85/0xd0 fs/open.c:1164 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45ca69 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f58c7816c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00000000004f6cc0 RCX: 000000000045ca69 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000180 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 0000000000000779 R14: 000000000052569f R15: 00007f58c78176d4 Modules linked in: ---[ end trace a6d49ec808fd8839 ]--- RIP: 0010:ima_free_template_entry+0x45/0x140 security/integrity/ima/ima_api.c:27 Code: 54 48 c1 ea 03 55 53 80 3c 02 00 0f 85 fe 00 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5f 10 48 8d 7b 20 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e b0 00 00 00 8b 43 20 85 c0 7e RSP: 0018:ffffc90009b3f538 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000004 RSI: 1ffff92001367ec0 RDI: 0000000000000020 RBP: ffff8880a4d74280 R08: ffffed1015d07104 R09: ffffed1015d07104 R10: ffff8880ae83881b R11: ffffed1015d07103 R12: 0000000000000000 R13: ffff8880a3155d10 R14: ffffffff89237a10 R15: ffff8880a3155d00 FS: 00007f58c7817700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbcd6098020 CR3: 0000000089d9d000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400